May 08, 2001, 9:38 AM — A new Internet worm that can infect Web servers running Sun Microsystems Inc.'s Solaris operating system and Microsoft Corp.'s Internet Information Server (IIS) has been discovered. The worm first attacks the Solaris server and then sets it up to attack the systems running IIS, the Computer Emergency Response Team (CERT) said Tuesday.
The worm takes advantage of known security flaws in both servers' software to compromise systems and deface Web pages, according to CERT, which has named the malicious code the "sadmind/IIS worm."
CERT, at Pittsburgh's Carnegie Mellon University, said in a statement it has received reports of the worm, although It did specify whether the worm has been found in the wild.
The Solaris system is entered by using a two-year old buffer overflow vulnerability. After that a security hole that was uncovered seven months ago is used to break into the IIS system. Once infected the Solaris system is used to scan and compromise other Solaris systems and IIS systems, CERT said.
Software patches from Sun and Microsoft have long been available to fix the problems. However, as not every Web site administrator is diligent in plugging holes servers could still be vulnerable.
"None of the antivirus vendors have reported the discovery of, or any incidents with, this malicious program (the sadmind/IIS worm)," said Denis Zenkin, spokesman for Kaspersky Lab Ltd., an antivirus vendor. Kaspersky is a member of various international organizations that comprise of the world's leading antivirus companies, he added.
This being the first report could mean one of two things, Zenkin said.
"Either the worm has bugs and will never appear in the wild, in this case it is merely another entry in CERT's virus encyclopedia. This is certainly not the very first malicious program that attacks IIS servers. Or the worm is really something very dangerous and has the opportunity to become widespread," Zenkin said.
If the sadmind/IIS is a danger CERT's attitude towards antivirus vendors can be classified as "unethical," Zenkin said.
"CERT didn't share the virus sample with developers of antivirus programs to allow them to provide their customers with an emergency update," Zenkin said.
Nobody at CERT was available for comment.
Systems that have been hit show certain characteristics. On the Solaris system a directory called "/dev/cuc" will contain tools that the worm uses to operate, for example. The IIS machine will show modified Web pages displaying a rant against the U.S. government and a Chinese e-mail address.
More details can be found on the CERT Web site (http://www.cert.org/advisories/CA-2001-11.html).